"net groupfilter" ?

Gerald (Jerry) Carter jerry at samba.org
Tue Dec 16 15:39:48 GMT 2008

Hash: SHA1

Hey Volker,

> On Tue, Dec 16, 2008 at 09:27:35AM -0600, Gerald (Jerry) Carter wrote:
>> This is exactly how idmap_ad[ex] works now though.  I don't see how
>> what you are proposing is a larger change.  Seems like the filtering
>> just needs to be placed in the idmap plugin and you are done.
> I wasn't sure this works fully correctly also for calls like
> wbinfo -g, getent group <groupname> for nested groups and so
> on. Sorry if I'm wrong there.

Since wbinfo -g doesn't go through NSS, there is no possibility
to filter at the SID/gid mapping layer.  For enumeration via
NSS (set/get/endgrent), this works fine.  Winbind enumerates all
groups/SIDs and then drop the ones that don't map.  I can't
remember if this is done for group members (i.e. users) in the
getgrnam() response.  If not, that is easy to fix.

It also allows the NT token to be a superset of the Unix token
if not all SIDs map to a uid/gid.

>>> The patch as posted here is the quick and dirty fix for smbd
>>> only.
>> I'm confused.  Not running Winbind implies that the Windows
>> users and groups match a local unix user and therefore you
>> shouldn't really have the > NGROUPS issue.  And if you run Winbind,
>> Just add the filter to the idmap backend and case closed.
>> So the smbd-only patch is really the wrong place to solve it IMO.
>> Am I explaining myself ok?
> Yes, thanks. I'll keep this locally until I've come up with
> a proper, acceptable patch.
> Thanks for the review,

Np.  Good luck.

cheers, jerry
- --
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba-technical mailing list